Abstract


We describe an algebra of Edge-Valued Decision Diagrams (EVMDDs) to encode arithmetic functions and its implementation in a model checking library, along with state-of-the-art algorithms for building the transition relation and the state space of discrete state systems.

We provide efficient algorithms for manipulating EVMDDs and give upper bounds on the theoretical time complexity of these algorithms for all basic arithmetic and relational operators. We also demonstrate that the time complexity of the generic recursive algorithm for applying a binary operator on EVMDDs is no worse than that of Multi-Terminal Decision Diagrams.

We have implemented a new symbolic model checker with the intention to represent in one formalism the best techniques available at the moment across a spectrum of existing tools: EVMDDs for encoding arithmetic expressions, identity-reduced MDDs for representing the transition relation, and the saturation algorithm for reachability analysis. We compare our new symbolic model checking EVMDD library with the widely used CUDD package and show that, in many cases, our tool is several orders of magnitude faster than CUDD.


1 Introduction 

Binary decision diagrams (BDDs) [4] have revolutionized reachability analysis and model checking technology. Arithmetic decision diagrams [3], also called Multi-Terminal Binary Decision Diagrams (MTBDDs) [9], are the natural extension of regular BDDs to arithmetic functions. They take advantage of the symbolic encoding scheme of BDDs, but functions with large co-domains do not usually have a very compact representation because there are fewer chances for suffixes to be shared.

Edge-valued decision diagrams have been introduced previously, but only scarcely used. An early version, the edge-valued binary decision diagrams (EVBDDs) [13, 14], is particularly useful when representing both arithmetic and logic functions, which is the case for discrete state model checking. However, EVBDDs have only been applied to rather obscure applications, such as computing the probability spectrum and the Reed-Muller spectrum of (pseudo-)Boolean functions.

Binary Moment Diagrams [5] were designed to overcome the limitations of BDDs when encoding multiplier functions. However, their efficiency seems to be limited to this particular type of function. A new canonization rule for edge-valued decision diagrams enabling them to encode functions in $\mathbb{Z} \cup \{+\infty\}$ was introduced in [7] along with an extension to multi-way diagrams (MDDs) [12], but, again, this was applied to a very specific task, that of finding minimum-length counterexamples for safety properties. Later, EVMDDs have also been used for partial reachability analysis.

In this paper we first present a theoretical comparison between EVMDDs and Multi-Terminal MDDs (MTMDDs) for building the transition relation of discrete state systems, before dealing with an implementation in a model checker along with state-of-the-art algorithms for state space construction.


2 Background 

2.1 Discrete-state Systems 

A discrete-state model is a triple $(S, S_0, T)$, where the discrete set $S$ is the potential state space of the model; the set $S_0 \subseteq S$ contains the initial states¹, and $T : S \to 2^S$ is the transition function specifying which states can be reached from a given state in one step, which we extend to sets: $T(X) = \bigcup_{i \in X} T(i)$. We consider structured systems modeled as a collection of $K$ submodels. A (global) system state $i$ is then a $K$-tuple $(i_K, \ldots, i_1)$, where $i_k$ is the local state for submodel $k$, for $K \ge k \ge 1$, and $S$ is defined as $S_K \times \cdots \times S_1$, the cross-product of the $K$ local state spaces $S_k$, which we abstract to $\{0, \ldots, n_k - 1\}$. The (reachable) state space $R \subseteq S$ is the smallest set containing $S_0$ and closed with respect to $T$, i.e.

$$R = S_0 \cup T(S_0) \cup T(T(S_0)) \cup \cdots = T^*(S_0).$$

Thus, $R$ is the least fixpoint of the function $X \mapsto S_0 \cup T(X)$.

2.2 Symbolic State-space Generation: Breadth-first vs. Saturation 

The traditional approach to generating the reachable states of a system is based on a breadth-first traversal, as derived from classical fixed-point theory, and applies a monolithic $T$ (even when encoded as $\bigcup_{e \in E} T_e$). After $d$ iterations, the currently-known state space contains all states whose distance from any state in $S_0$ is at most $d$. However, recent advances have shown that non-BFS, guided (or chaotic) exploration can result in a better iteration strategy.

An example is the saturation algorithm introduced in [6], which exhaustively fires all events of $E_k$ in an MDD node at level $k$, thereby greedily bringing the node to its final "saturated" form.
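The definitions of Sections 2.1 and 2.2 (the transition function extended to sets, the reachable set as a least fixpoint, and the distance property of breadth-first iteration) made concrete on a small explicit-state model. This is an added example, not code from the paper or its library; the model with two counters and three events is constructed here for illustration and all names are this example's own.

```python
# Added example, not from the paper: explicit-state breadth-first reachability
# for a structured model (S, S_0, T) with K = 2 submodels, following the
# definitions of Sections 2.1 and 2.2. The model itself (two counters and three
# events) is constructed here for illustration; all names are this example's own.

N = (4, 3)   # n_2 = 4, n_1 = 3: global state (i_2, i_1) with i_k in {0, .., n_k - 1}

# An event is a (guard, update) pair on the global tuple. The first two are local
# to one submodel, the third synchronises both and would belong to E_2.
EVENTS = [
    (lambda s: s[0] < N[0] - 1, lambda s: (s[0] + 1, s[1])),        # i_2 += 1
    (lambda s: s[1] < N[1] - 1, lambda s: (s[0], s[1] + 1)),        # i_1 += 1
    (lambda s: s[0] > 0 and s[1] > 0, lambda s: (s[0] - 1, 0)),     # i_2 -= 1, i_1 := 0
]


def successors(state, events=EVENTS):
    """T : S -> 2^S, the states reachable from state in one step."""
    return {update(state) for guard, update in events if guard(state)}


def image(states, events=EVENTS):
    """T extended to sets: T(X) = union of T(i) for i in X."""
    return set().union(*(successors(s, events) for s in states))


def bfs_reachable(s0, events=EVENTS):
    """Least fixpoint of X -> S_0 u T(X), computed breadth-first. Returns
    (R, dist) where dist[s] is the iteration at which s first appeared, i.e.
    its minimum distance from S_0 (after d iterations every state at distance
    at most d is known)."""
    dist = {s: 0 for s in s0}
    known, frontier, d = set(s0), set(s0), 0
    while frontier:
        d += 1
        frontier = image(frontier, events) - known      # new states at distance d
        for s in frontier:
            dist[s] = d
        known |= frontier
    return known, dist
```

With `bfs_reachable({(0, 0)})` all 12 global states are found and the state (3, 2) is first discovered in iteration 5, the minimum number of event firings needed to reach it; saturation replaces this layer-by-layer image computation by firing the events of each $E_k$ locally inside the symbolic representation.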


2.3 Decision Diagrams 

We assume implicitly that the decision diagrams are ordered, i.e. the variables labeling nodes along any path from the root must follow the order $x_K, \ldots, x_1$. Ordered DDs can be either reduced (no duplicate nodes and no node with all edges pointing to the same node, but edges possibly spanning multiple levels) or quasi-reduced (no duplicate nodes, and all edges spanning exactly one level), either form being canonical.

We also adopt the extension of BDDs to integer variables, i.e., multi-valued decision diagrams (MDDs) [12]. MDDs are more naturally suited to represent the state space of arbitrary discrete systems than BDDs, since no binary encoding must be used to represent the local states for level $k$ when $n_k > 2$. An even more important reason to use MDDs is that they allow us to better exploit the event locality present in systems exhibiting a globally-asynchronous locally-synchronous behavior.


3 EVMDDs 

3.1 Definition 

Definition 3.1 An EVMDD on a group $(G, *)$ is a pair $A = (v, n)$ where $v \in G$ will also be noted $A.\mathrm{val}$ and $n$, also noted $A.\mathrm{node}$, is a node.

A node $n$ is either the unique terminal node $(0, e)$, where $e$ is the identity element of $G$, or a pair $(k : p)$ where $1 \le k \le K$ and $p$ is an array of edges of size $n_k$. The first element of the pair will be denoted $k = n.\mathrm{level}$ and, when relevant, the element of index $i$ in the array will be denoted by $n[i]$.

Additionally, the notation $n[i_k, \ldots, i_{k'}]$ is used as a shortcut for $n[i_k] \cdots [i_{k'}].\mathrm{node}$.

Definition 3.2 An ordered EVMDD is an EVMDD in which every node $n$ satisfies

$$\forall i \in S_{n.\mathrm{level}} \cdot n[i].\mathrm{node}.\mathrm{level} < n.\mathrm{level}$$

As already mentioned, we only consider ordered EVMDDs. The canonicity of unordered EVMDDs is significantly more complex to establish.

¹ $T$ is then encoded as a disjunction $\bigcup_{e \in E} T_e$ of events $e$, and $E$ is then divided into $\bigcup_{1 \le k \le K} E_k$ with each $E_k$ grouping the events not depending on submodels above $k$ and not affecting them.
Example 3.1 Graphs are a convenient representation for EVMDDs. For ordered EVMDDs, the graph directed by node levels is acyclic. Graphically, the terminal node is represented by a circle at the bottom and internal nodes are drawn above according to their level, with all edges pointing down to child nodes. Examples of graph representations of EVMDDs are given in Figure 1.



Figure 1. Three EVMDDs A, B and C on $\mathbb{Z}$ for the function of Example 3.2, $(x_2, x_1) \mapsto x_2 \times x_1$.



Definition 3.3 Given a node $n$ with $n.\mathrm{level} = k$ and $(i_k, \ldots, i_{k'}) \in S_k \times \cdots \times S_{k'}$, we define

$$n(i_k, \ldots, i_{k'}) = \begin{cases} n[i_k].\mathrm{val} & \text{if } n[i_k].\mathrm{node}.\mathrm{level} < k' \\ n[i_k].\mathrm{val} * n[i_k].\mathrm{node}(i_{n[i_k].\mathrm{node}.\mathrm{level}}, \ldots, i_{k'}) & \text{if } n[i_k].\mathrm{node}.\mathrm{level} \ge k' \end{cases}$$

This allows the definition of the represented function for any EVMDD $A$ as

$$f : S \to G, \quad (i_K, \ldots, i_1) \mapsto A.\mathrm{val} * A.\mathrm{node}(i_{A.\mathrm{node}.\mathrm{level}}, \ldots, i_1)$$

In other words, $n(i_k, \ldots, i_{k'})$ is the repeated application of the law $*$ to the edge values along the path going down from node $n$ and following the directions given by $(i_k, \ldots, i_{k'})$. Hence $f(i_K, \ldots, i_1)$ is $*$ applied to the edge values on a path from the root to the terminal node of $A$.

In this setup, every EVMDD $A$ represents a function $f : S \to G$. The converse is also true: given a function $f$, an EVMDD $A$ representing $f$ can be built by setting the values of all edges of $A$ to the identity element $e$ of $G$, except those pointing to the terminal node, which take the proper values $f(i_K, \ldots, i_1)$ according to the incoming path leading to them.

Example 3.2 In Figure 1 the EVMDD B is built from $f : \{0, 1\}^2 \to \mathbb{Z}$, $(x_2, x_1) \mapsto x_2 \times x_1$, according to the method explained above.

Definition 3.4 A redundant node $n$ has all outgoing edges identical:

$$\forall i, j \in S_{n.\mathrm{level}} \cdot n[i] = n[j]$$

A reduced EVMDD contains no duplicate or redundant nodes.




Definition 3.5 A quasi-reduced EVMDD contains no duplicate nodes, and all internal nodes $n$ have all their descendants on the level immediately below:

$$\forall i \in S_{n.\mathrm{level}} \cdot n[i].\mathrm{node}.\mathrm{level} = n.\mathrm{level} - 1$$

From any EVMDD $A$, we can build a reduced EVMDD representing the same function by just deleting nodes with all children identical and redirecting the incoming edges to their unique descendant. Similarly, from any EVMDD $A$, a quasi-reduced EVMDD can be built by adding nodes with all children identical on edges spanning multiple levels.

Example 3.3 In Figure 1, A is reduced, whereas B and C are quasi-reduced.

For the sake of simplicity we will only consider quasi-reduced EVMDDs in the following discussion. However, proofs and algorithms for the reduced version are very similar, only slightly more involved in order to deal with edges skipping levels. We will return to reduced EVMDDs only for the implementation, since they are never larger in size than their quasi-reduced counterparts and hence can have more efficient algorithms.

As can be seen in the previous example, even when restricting to quasi-reduced diagrams, the 
EVMDD representation of a function / may not be uniquely defined. 

Definition 3.6 A canonical node is either the terminal node or a node $n$ such that $n[0].\mathrm{val} = e$.

A canonical EVMDD is an EVMDD in which all nodes are canonical.

It can be proved that for every function $f$ there exists a unique canonical EVMDD representing it [7].

In the following, EVMDDs are assumed to be canonical.


3.2 Extensions 

EVMDDs can be used even when the algebraic structure is not a group. [7] offers a canonization rule for $\mathbb{N} \cup \{+\infty\}$, and $(\mathbb{Z}, \times)$ can be handled with the canonization rule "$\gcd\{n[i].\mathrm{val} \mid i \in S_{n.\mathrm{level}}\} = 1$ and $(n[0].\mathrm{val}, \ldots, n[n_{n.\mathrm{level}} - 1].\mathrm{val}) >_{\mathrm{lex}} 0$".

It is also interesting to notice that EVMDDs are just a generalization of binary decision diagrams with complemented edges, as presented for example in [11]. Indeed, these are edge-valued diagrams on $G = \mathbb{Z}/2\mathbb{Z}$, with complemented (respectively non-complemented) edges corresponding to value 1 (respectively 0).


4 EVMDDs compared to MTMDDs 

MTBDDs are commonly used in model checking to build the transition relation of discrete-state systems. In this section we show that EVMDDs are at least as well suited for that purpose and oftentimes significantly better. In the remainder of this section we pick, often without loss of generality, $(G, *) = (\mathbb{Z}, +)$.

4.1 Space Complexity 

As stated in section 2.2.6 of [13]:

Theorem 4.1 For any function $f$, the number of nodes of the EVMDD representing $f$ is at most the number of nodes of the MTMDD representing the same function $f$.
Proof. Let $A$ be the MTMDD representing $f$. From $A$ we construct the EVMDD (not in canonical form) $A_0$ by replacing each edge from level 1 to a terminal with value $v$ by an edge with value $v$ to the unique terminal node 0, and associating value 0 to all other edges (see Figure 2 for an example)². Then, we iteratively compute the EVMDD $A_k$, for each $k$ from 1 to $K$, through the following process:

Figure 2. Building the EVMDD $A_0$ (right) from MTMDD $A$ (left).

• for each node $n$ at level $k$, subtract $n[0].\mathrm{val}$ from all outgoing edges and add this value to all incoming edges;

• merge all duplicate nodes at level $k$ (by duplicate nodes we mean two nodes whose edges $i$ hold the same value and point to the same child, for each $i$ in the range of variable $x_k$).

See Figure 3 for an example.

To prove that $A_k$ and $A$ represent the same function, it is sufficient to see that $A$ and $A_0$ represent the same function and that the iterative transformation preserves the sum of values on any path $(i_K, \ldots, i_1)$ from the root of the diagram to the unique terminal node (plus the value of the root's incoming edge):

$$A_k.\mathrm{val} + A_k.\mathrm{node}(i_K, \ldots, i_1) = A_{k-1}.\mathrm{val} + A_{k-1}.\mathrm{node}(i_K, \ldots, i_1)$$

Since $A_K$ is in canonical form and since, for each $k$, the number of nodes of $A_k$ is at most the number of nodes of $A_{k-1}$, we can conclude that the size of an EVMDD is never larger than that of the corresponding MTMDD. □

This doesn't prove that EVMDDs always require less memory than MTMDDs, since they need extra space to store the edge values, but they are no worse than up to a small factor³. On the other hand, EVMDDs can be exponentially better than MTMDDs in some cases. For example, the function

$$\{0, \ldots, B-1\}^K \to \mathbb{Z}, \quad (i_K, \ldots, i_1) \mapsto \sum_{k=1}^{K} i_k B^{k-1}$$

where $B \ge 2$, requires $\frac{B^{K+1} - 1}{B - 1}$ nodes in its MTMDD representation⁴, whereas it can be represented as an EVMDD with only $K + 1$ nodes⁵.

² This process is similar to the one used in section 3.1 to prove that every function can be represented by an EVMDD.

³ Usually 2, assuming that edge values are as big as node pointers.

Figure 3. Constructing EVMDD $A_1$ (right) from EVMDD $A_0$ (left).

4.2 Time complexity 


What makes decision diagrams a useful data structure for symbolic model checking is not only their space efficiency but the ability to efficiently compute common operations.

Section 2 of [9] gives an algorithm to compute any binary operation on MTBDDs. The apply algorithm can be easily generalized to MDDs for any $n$-ary operator. It computes its result in time $O\left(\prod_{i=1}^{n} |f_i|\right)$, where $|f_i|$ is the size (in nodes) of the MTMDD representing operand $i$.

Section 2.2 of [13] gives the equivalent Algorithm 1 for edge-valued decision diagrams. This is the binary version, but the $n$-ary one is very similar for any $n \in \mathbb{N}^*$.

As stated in section 2.2.6 of [13]:

Theorem 4.2 The number of recursive calls of the above apply algorithm is the same for MTMDDs and for EVMDDs representing the same functions.

Lemma 4.1 Two paths $(i_K, \ldots, i_{k+1})$ and $(j_K, \ldots, j_{k+1})$ lead to the same node in $A$,

$$A.\mathrm{node}[i_K, \ldots, i_{k+1}] = A.\mathrm{node}[j_K, \ldots, j_{k+1}],$$

if and only if they lead to the same node in $A_{k-1}$,

$$A_{k-1}.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_{k-1}.\mathrm{node}[j_K, \ldots, j_{k+1}].$$

Proof. $A$ and $A_{k-1}$ are identical from level $k + 1$ to level $K$. □

⁴ Since all terminal values are distinct.

⁵ More generally, any linear function requires only one node per level in its EVMDD representation.
Algorithm 1 computes any binary operation ⊡ on EVMDDs (v, n) and (v', n')

apply(⊡ : edge × edge → edge, (v, n) : edge, (v', n') : edge) : edge
    k ← n.level                        // = n'.level since EVMDDs are quasi-reduced
    // base case
    if k = 0 then
        return (v ⊡ v', t)             // t is the unique terminal node
    // lookup in cache
    if CacheFind(⊡, (v, n), (v', n'), (m, r)) then
        return (m, r)
    r ← NewNode(k)
    for i = 0 to n_k − 1 do
        r[i] ← apply(⊡, (v + n[i].val, n[i].node), (v' + n'[i].val, n'[i].node))
    m ← r[0].val
    for i = 0 to n_k − 1 do
        r[i].val ← r[i].val − m
    // check if a node identical to r already exists
    r ← FindOrAdd(r)
    // save result in cache
    CacheInsert(⊡, (v, n), (v', n'), (m, r))
    return (m, r)


Lemma 4.2 Two paths $(i_K, \ldots, i_{k+1})$ and $(j_K, \ldots, j_{k+1})$ lead to the same node in $A_K$ with the same value,

$$A_K.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_K.\mathrm{node}[j_K, \ldots, j_{k+1}] \quad \text{and} \quad A_K.\mathrm{node}(i_K, \ldots, i_{k+1}) = A_K.\mathrm{node}(j_K, \ldots, j_{k+1}),$$

if and only if they lead to the same node in $A_k$ with the same value,

$$A_k.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_k.\mathrm{node}[j_K, \ldots, j_{k+1}] \quad \text{and} \quad A_k.\mathrm{node}(i_K, \ldots, i_{k+1}) = A_k.\mathrm{node}(j_K, \ldots, j_{k+1}).$$

Proof. First, let us prove by induction on $l$, from $k$ to $K$, that:

$$A_k.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_l.\mathrm{node}[i_K, \ldots, i_{k+1}] \quad \text{and} \quad A_k.\mathrm{val} + A_k.\mathrm{node}(i_K, \ldots, i_{k+1}) = A_l.\mathrm{val} + A_l.\mathrm{node}(i_K, \ldots, i_{k+1})$$

• for $l = k$, the property trivially holds;

• if the property holds for a value of $l$ between $k$ and $K - 1$, it still holds for $l + 1$, since the computation of $A_{l+1}$ from $A_l$ can only merge duplicate nodes at level $l + 1 \ge k + 1$.

□

Proof. [Theorem 4.2] We show the proof for the unary version of the algorithm. Proofs for the other versions are similar, only a bit more verbose.

If we do not take the caches into consideration, the two algorithms are obviously equivalent, so what we need to prove is that a cache hit occurs in the EVMDD apply algorithm with diagram $A_K$ if and only if it occurs in the MTMDD algorithm with diagram $A$. In other words, we have to prove for every two paths $(i_K, \ldots, i_{k+1})$ and $(j_K, \ldots, j_{k+1})$ that they lead to the same node in $A$,

$$A.\mathrm{node}[i_K, \ldots, i_{k+1}] = A.\mathrm{node}[j_K, \ldots, j_{k+1}],$$

if and only if they reach the same node in $A_K$ with the same value:

$$A_K.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_K.\mathrm{node}[j_K, \ldots, j_{k+1}] \quad \text{and} \quad A_K.\mathrm{node}(i_K, \ldots, i_{k+1}) = A_K.\mathrm{node}(j_K, \ldots, j_{k+1}).$$

Therefore, from Lemmas 4.1 and 4.2 it remains to prove that two paths $(i_K, \ldots, i_{k+1})$ and $(j_K, \ldots, j_{k+1})$ lead to the same node in $A_{k-1}$,

$$A_{k-1}.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_{k-1}.\mathrm{node}[j_K, \ldots, j_{k+1}], \qquad (1)$$

if and only if they reach the same node in $A_k$ with the same value:

$$A_k.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_k.\mathrm{node}[j_K, \ldots, j_{k+1}] \quad \text{and} \quad A_k.\mathrm{node}(i_K, \ldots, i_{k+1}) = A_k.\mathrm{node}(j_K, \ldots, j_{k+1}). \qquad (2)$$

• Let us prove that (1) implies (2). The first part of (2) is obvious: if two paths lead to the same node before merging, this still holds after merging. The second part is slightly more complex. Indeed, $A_k.\mathrm{node}(i_K, \ldots, i_{k+1})$ is just the value attached to edge $i_{k+1}$ of node $A_k.\mathrm{node}[i_K, \ldots, i_{k+2}]$, since all other edges hold value 0. This value is the one reported up when constructing $A_k$ from $A_{k-1}$ for node $A_k.\mathrm{node}[i_K, \ldots, i_{k+1}] = A_k.\mathrm{node}[j_K, \ldots, j_{k+1}]$, so it is the same for $A_k.\mathrm{node}(j_K, \ldots, j_{k+1})$, which is the second part of (2).

• In the other direction, (2) implies (1). If (2) holds then $A_{k-1}.\mathrm{node}[i_K, \ldots, i_{k+1}]$ and $A_{k-1}.\mathrm{node}[j_K, \ldots, j_{k+1}]$ are identical (for if they were not, then (2) would not hold on $A_k$ computed from $A_{k-1}$). Hence (1), since $A_{k-1}$ doesn't contain any duplicate at level $k$.

□

In conclusion, EVMDD computations are at least not slower than the MTMDD equivalent. However, particular operators may enable much better algorithms on EVMDDs.

4.2.1 Addition of a Constant: EVMDD + c

Adding a constant $c$ to an EVMDD $(v, n)$ is just computing $(c + v, n)$, which can be done in constant time.

4.2.2 Multiplication by a Scalar: EVMDD × c

As stated in section 2.2.2 of [13], computing $f \times c$ is just multiplying each edge value of the EVMDD representing $f$ by $c$, which can be done in time $O(|f|)$.

4.2.3 Addition: EVMDD + EVMDD

As stated in section 2.2.2 of [13], addition satisfies the property

$$(v, n) + (v', n') = ((0, n) + (0, n')) + (v + v'),$$

allowing to cache only edges with value 0, therefore leading to the slightly modified apply, Algorithm 2. The complexity of the algorithm to compute $f + g$ is $O(|f|\,|g|)$.

It is also interesting to notice that this algorithm offers a simple upper bound on the size of the result of an addition:

$$|f + g| \le |f|\,|g|$$

4.2.4 Remainder and Euclidean Division: EVMDD % c and EVMDD / c

As stated in section 2.2.4 of [13], there is no need to cache values that are equal modulo $c$, hence the complexity of these algorithms is $O(|f|\,c)$.
Algorithm 2 computes the sum of EVMDDs (v, n) and (v', n')

plus((v, n) : edge, (v', n') : edge) : edge
    k ← n.level                        // = n'.level since EVMDDs are quasi-reduced
    // base case
    if k = 0 then
        return (v + v', t)             // t is the unique terminal node
    // lookup in cache
    if CacheFind(+, (0, n), (0, n'), r) then
        return (v + v', r)
    r ← NewNode(k)
    for i = 0 to n_k − 1 do
        r[i] ← plus(n[i], n'[i])
    // check if a node identical to r already exists
    r ← FindOrAdd(r)
    // save result in cache
    CacheInsert(+, (0, n), (0, n'), r)
    return (v + v', r)

Since $n[0].\mathrm{val} = n'[0].\mathrm{val} = 0$ for canonical operands, $r[0].\mathrm{val} = 0$ as well (by induction on the level), so the normalization loop of Algorithm 1 is not needed and $r$ is canonical as built; this is why the cache is keyed on $(0, n)$ and $(0, n')$ and stores only the node $r$.
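The construction of Section 3.1 (every path carries its own value into the terminal, then the values are pushed up until every $n[0].\mathrm{val}$ is 0), the node count of Theorem 4.1 and its base-$B$ example in Section 4.1, and the cached addition of Algorithm 2, all in one small Python model. This is an added example, not code from the paper or its C library: the class and function names (`Evmdd`, `mk`, `from_function`, `plus`, `mtmdd_size`, `demo`) are this example's own, and it works over $(\mathbb{Z}, +)$ with quasi-reduced diagrams, as the text assumes.

```python
# Added example, not code from the paper or its library: a minimal canonical
# quasi-reduced EVMDD over (Z, +) with a unique table (the FindOrAdd of the
# algorithms), the bottom-up construction of Section 3.1, a node count against
# the MTMDD of the same function (Theorem 4.1) and the cached addition of
# Algorithm 2. All class, method and function names are this example's own.
from itertools import product


class Evmdd:
    def __init__(self, sizes):
        self.sizes = sizes         # sizes[k-1] = n_k, the range of x_k
        self.K = len(sizes)        # level K is the root level, level 0 the terminal
        self.unique = {}           # (level, edges) -> node id: the FindOrAdd table
        self.nodes = [None]        # node id -> (level, edges); id 0 is the terminal t
        self.plus_cache = {}       # (n, n') -> edge for (0, n) + (0, n')

    def mk(self, level, edges):
        """Canonicalise (n[0].val becomes 0, the difference moves to the returned
        edge) and hash-cons. edges is a list of (value, child id) pairs."""
        m = edges[0][0]
        key = (level, tuple((val - m, child) for val, child in edges))
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return m, self.unique[key]

    def from_function(self, f):
        """Canonical EVMDD of f : S -> Z, f taking a tuple (i_K, ..., i_1): every
        path gets its own f value on the edge into t (Section 3.1), then mk()
        pushes the common part upwards, as in the proof of Theorem 4.1."""
        def build(level, prefix):
            if level == 0:
                return f(prefix), 0
            return self.mk(level, [build(level - 1, prefix + (i,))
                                   for i in range(self.sizes[level - 1])])
        return build(self.K, ())

    def eval(self, edge, point):
        """Sum of the edge values along the path chosen by point (Definition 3.3)."""
        val, node = edge
        for i in point:
            ev, node = self.nodes[node][1][i]
            val += ev
        return val

    def size(self, edge):
        """Number of nodes reachable from edge, terminal included."""
        seen, stack = set(), [edge[1]]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                if n != 0:
                    stack.extend(child for _, child in self.nodes[n][1])
        return len(seen)

    def plus(self, a, b):
        """Algorithm 2: (v,n) + (v',n') = ((0,n) + (0,n')) + (v + v'), so only
        the value-0 edges are cached; both operands sit at the same level."""
        (v, n), (w, m) = a, b
        if n == 0:                              # base case: the terminal
            return v + w, 0
        if (n, m) not in self.plus_cache:
            level, ne = self.nodes[n]
            me = self.nodes[m][1]
            self.plus_cache[(n, m)] = self.mk(level, [self.plus(ne[i], me[i])
                                                       for i in range(len(ne))])
        rv, r = self.plus_cache[(n, m)]         # rv is 0 for canonical operands
        return v + w + rv, r

    def is_canonical(self):
        return all(edges[0][0] == 0 for _, edges in self.nodes[1:])


def mtmdd_size(sizes, f):
    """Node count of the quasi-reduced MTMDD of f: each distinct terminal value
    is a node of its own, internal nodes are hash-consed on their children."""
    unique = {}
    def build(level, prefix):
        if level == 0:
            key = ("t", f(prefix))
        else:
            key = (level, tuple(build(level - 1, prefix + (i,))
                                for i in range(sizes[level - 1])))
        return unique.setdefault(key, len(unique))
    build(len(sizes), ())
    return len(unique)


def demo(B=2, K=3):
    """The base-B function of Section 4.1 (K+1 EVMDD nodes against
    (B^(K+1)-1)/(B-1) MTMDD nodes) and a non-linear g, added with Algorithm 2."""
    sizes = [B] * K
    f = lambda p: sum(i * B ** (K - 1 - idx) for idx, i in enumerate(p))  # p = (i_K, .., i_1)
    g = lambda p: p[0] * p[-1]                                              # i_K * i_1
    d = Evmdd(sizes)
    F, G = d.from_function(f), d.from_function(g)
    H = d.plus(F, G)
    points = list(product(*[range(s) for s in sizes]))
    return {
        "evmdd_size": d.size(F),
        "mtmdd_size": mtmdd_size(sizes, f),
        "canonical": d.is_canonical(),
        "sum_ok": all(d.eval(H, p) == f(p) + g(p) for p in points),
        "size_bound": d.size(H) <= d.size(F) * d.size(G),
    }
```

`demo()` builds the 3-bit counter $f(i_3, i_2, i_1) = 4 i_3 + 2 i_2 + i_1$: its EVMDD has 4 nodes (one per level plus the terminal) while the MTMDD needs 15, and the sum with $g = i_3 \times i_1$ evaluates correctly at every point and stays within the $|f|\,|g|$ bound. Note that `mk` is the only place where hash-consing and canonicalisation happen, so every operation that builds nodes through it yields canonical diagrams.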


4.2.5 Minimum and Maximum

Per section 2.2.3 of [13], $\max\{f(x) \mid x \in S\}$ and $\min\{f(x) \mid x \in S\}$ can be easily computed by traversing the graph and caching the result for each node, hence the complexity is $O(|f|)$.

4.2.6 Multiplication: EVMDD × EVMDD

As stated in section 2.2.5 of [13], the result of a multiplication can have an EVMDD representation of exponential size in terms of the operands. For example, let $S$ be $\{0, 1\}^K$, $f : (x_K, \ldots, x_1) \mapsto \sum_{k=2}^{K} x_k 2^{k-2}$ and $g : (x_K, \ldots, x_1) \mapsto x_1$. Both $f$ and $g$ have an EVMDD representation with $K + 1$ nodes, whereas $fg$ needs $2^K$ nodes (here again we see the importance of variable ordering: putting $x_1$ at the top allows $fg$ to be represented with $2K$ nodes). Therefore, we cannot expect to find an algorithm with better worst-case complexity. However, the following equation

$$(v, n) \times (v', n') = vv' + v(0, n') + v'(0, n) + (0, n) \times (0, n')$$

suggests the alternative Algorithm 3. The first product is an integer multiplication done in constant time. The next two are multiplications by a constant done in $O(|f|)$ and $O(|g|)$, respectively. The last one is done through recursive calls.The first addition takes constant time, the second one takes $O(|f|\,|g|)$ and produces a result of size at most $|f|\,|g|$, hence a cost of $O(|f|\,|g|\,|fg|)$ for the last addition. The function times is called $O(|f|\,|g|)$ times, hence a final complexity of $O(|f|^2 |g|^2 |fg|)$.

Although we were unable to theoretically compare this algorithm to the generic Algorithm 1, it seems to perform far better in practice when the size of the result is moderate.

4.2.7 Relational Operators: EVMDD < c

Relational operators ($<$, $>$, $\le$, $\ge$, $=$ and $\ne$) are used in building transition relations. Unfortunately, the corresponding operations remain somewhat expensive. But, as stated in section 2.2.3 of [13],
Algorithm 3 computes the product of EVMDDs (v, n) and (v', n')

times((v, n) : edge, (v', n') : edge) : edge
    k ← n.level                        // = n'.level since EVMDDs are quasi-reduced
    // base case
    if k = 0 then
        return (v × v', t)             // t is the unique terminal node
    // lookup in cache
    if CacheFind(×, (0, n), (0, n'), r) then
        return plusc(plus(plus(timesc((0, n), v'), timesc((0, n'), v)), (0, r)), v × v')
    r ← NewNode(k)
    for i = 0 to n_k − 1 do
        r[i] ← times(n[i], n'[i])
    // check if a node identical to r already exists
    r ← FindOrAdd(r)
    // save result in cache
    CacheInsert(×, (0, n), (0, n'), r)
    return plusc(plus(plus(timesc((0, n), v'), timesc((0, n'), v)), (0, r)), v × v')

Here timesc and plusc are the scalar operations of sections 4.2.2 and 4.2.1, and $r$ is the node of the product $(0, n) \times (0, n')$. That product evaluates to $0 \times 0 = 0$ at $(0, \ldots, 0)$, so $r[0].\mathrm{val} = 0$ and $r$ is canonical without the normalization loop of Algorithm 1; the cached node is therefore used as the edge $(0, r)$.


$f < g$ can be computed as $f - g < 0$, and the operation "less than a constant" can be greatly improved, as shown in Algorithm 4, through the use of min and max, which are easy to compute (section 4.2.5).

We also developed Algorithm 5, which initially was deemed "optimized". The idea behind this algorithm is that for a call $\mathrm{lt}((\_, p), \_)$ returning $(lb, ub, q)$, the interval $[lb, ub]$ is the set $\{c \mid \forall x.\ p(x) < c \Leftrightarrow q(x) = 1\}$. In other words, $[lb, ub]$ is the exact interval of constants for which the relation $p < \cdot$ is given by $q$.

The latter algorithm is theoretically better than the former in that more cache hits occur. It can even be viewed as optimal in the sense that it never creates duplicate nodes from the same node of the input EVMDD. However, in practice this advantage appears quite small in most cases. Moreover, in order to implement it, it requires an ordered cache, such as a search tree, instead of a simple hash table, and the resulting log factor seems to outweigh any advantage.

Algorithms for the other relational operators are analogous to $<$.


4.3 Versatility 


The advantages of EVMDDs over MTMDDs come at the price of a slightly reduced versatility. Both EVMDDs and MTMDDs can be used to represent functions more general than arithmetic functions over integers. For MTMDDs, the only restriction is that the domain and co-domain of the encoded function have to be finite. However EVMDDs, despite the extensions of section 3.2, also require some algebraic structure. For example, they cannot be directly used with floats, since the sum of two floating point values has to be rounded to be represented as a floating point value. In computer arithmetic, [15] encodes floating point functions through integer EVMDDs of their binary (bit-level) representation. Even though space efficient, floating point computations on this representation remain expensive.

Another problem affecting EVMDDs but not MTMDDs is false overflow. Indeed, computers do not operate over $\mathbb{Z}$ proper, but on $\mathbb{Z}/2^{32}\mathbb{Z}$ (for 32-bit platforms, or the equivalent structure for the appropriate size of integers: 16, 32, 64 bits). Integer overflow is possible when adding edge values, even when the represented function itself fits within 32 bits. An example of such an internal
Algorithm 4 computes (v, n) < c for EVMDD (v, n) and integer c

lt((v, n) : edge, c : int) : edge
    k ← n.level
    // base cases (min(n) and max(n) are taken over all paths below n, section 4.2.5)
    if c − v ≤ min(n) then
        return (0, t)                  // t is the unique terminal node
    if c − v > max(n) then
        return (1, t)                  // t is the unique terminal node
    // lookup in cache
    if CacheFind(<, (0, n), c − v, (m, r)) then
        return (m, r)
    r ← NewNode(k)
    for i = 0 to n_k − 1 do
        r[i] ← lt(n[i], c − v)
    m ← r[0].val
    for i = 0 to n_k − 1 do
        r[i].val ← r[i].val − m
    // check if a node identical to r already exists
    r ← FindOrAdd(r)
    // save result in cache
    CacheInsert(<, (0, n), c − v, (m, r))
    return (m, r)


overflow can be seen in Figure 4. Since $\mathbb{Z}/2^{32}\mathbb{Z}$ is still an additive group, these overflows are harmless for addition and multiplication by a constant. The general algorithm from section 4.2 is not affected either, as it applies operations only on leaf nodes, but this observation no longer holds for the other algorithms of this section. A necessary and sufficient condition on a function $f$ for not having false overflows in the corresponding EVMDD is

$$\forall k \in \{1, \ldots, K\}.\ \forall (i_K, \ldots, i_{k+1}) \in S_K \times \cdots \times S_{k+1}.\ \forall i_k \in S_k.\ f(i_K, \ldots, i_{k+1}, i_k, 0, \ldots, 0) - f(i_K, \ldots, i_{k+1}, 0, 0, \ldots, 0) \text{ does not overflow}$$

5 Implementation 

Symbolic model checkers such as (Nu)SMV [1] or SAL [2] are based on the library CUDD [10] 
which offers an efficient implementation of BDDs and MTBDDs. For state space generation, they 
use a plain breadth first search (BFS) algorithm. 

Our goal was to implement a new symbolic model checking library featuring EVMDDs for 
transition relation construction and saturation [6] for state space generation. We also developed a 
basic model checking front-end to test the library and compare it to CUDD. Binaries for both and 
model checker sources are available at http : / /research . nianet . org/ ~radu/ evmdd/ 

In this section, we discuss some implementation details before presenting experimental results. 


5.1 Memory Management 

It is well known that model checking can be memory intensive, making memory management a critical issue when implementing a decision diagram library.
Algorithm 5 computes (v, n) < c for EVMDD (v, n) and integer c, together with the interval of constants for which the result is valid

lt((v, n) : edge, c : int) : int × int × edge
    k ← n.level
    // base cases
    if c − v ≤ min(n) then
        return (−∞, min(n), (0, t))            // t is the unique terminal node
    if c − v > max(n) then
        return (max(n) + 1, +∞, (1, t))        // t is the unique terminal node
    // lookup in cache for an interval [lb, ub] containing c − v
    if CacheFind(<, (0, n), c − v, (lb, ub, (m, r))) then
        return (lb, ub, (m, r))
    r ← NewNode(k)
    lb ← −∞
    ub ← +∞
    for i = 0 to n_k − 1 do
        (lb', ub', r[i]) ← lt(n[i], c − v)
        lb ← max(lb, lb' + n[i].val)
        ub ← min(ub, ub' + n[i].val)
    m ← r[0].val
    for i = 0 to n_k − 1 do
        r[i].val ← r[i].val − m
    // check if a node identical to r already exists
    r ← FindOrAdd(r)
    // save result in cache
    CacheInsert(<, (0, n), [lb, ub], (lb, ub, (m, r)))
    return (lb, ub, (m, r))




Figure 4. MTMDD (left) and EVMDD (right) encoding the same function over 32-bit integers, $f : x \in \{0, 1\} \mapsto 2{,}000{,}000{,}000 \times (2x - 1)$. Both values of $f$ fit in 32 bits, but the canonical EVMDD has root value $-2{,}000{,}000{,}000$ and its edge for $x = 1$ must hold the difference $4{,}000{,}000{,}000$, which wraps to $-294{,}967{,}296$.
The usual addressing scheme of BDD nodes is through pointers. Here, with MDDs, nodes at different levels with different variable ranges are of different sizes. For that reason, we chose an index-based addressing scheme (level, index), allowing nodes to be allocated independently at each level.

Decision diagram algorithms rely heavily on several cache structures. They are usually implemented as lossy hash tables: upon collision, older entries are simply discarded. We avoided the loss of information by choosing dynamically resizing hash tables with chaining. The non-lossy caches give slightly faster algorithms at the price of some additional memory.

Different diagrams often share subgraphs, making explicit freeing of disconnected sub-diagrams very difficult. Moreover, symbolic model checking algorithms often produce a large number of temporary nodes which rapidly become disconnected (also called garbage). The easiest way to reclaim memory is to use some garbage collection procedure. The most commonly used technique is reference counting. It is perfectly suited since diagrams are DAGs, hence avoiding circular references, the main drawback of reference counting. Instead, we chose to use a simple mark & sweep algorithm that proved to be both simple and efficient, because it requires minimal book-keeping. We keep reference counting only as an interface with library users.


5.2 Encoding the Transition Relation 

We represent the transition relation $T$ as a disjunction $\bigcup_{e \in E} T_e$ of events $e$. Each event $T_e$ is represented as an MDD of height $2K$, with level $2k$ encoding variable $x_k$ before the transition and level $2k - 1$ the same variable $x'_k$ after the transition⁶.

This disjunctive representation is well suited for globally-asynchronous locally-synchronous systems, where each event encodes some local transition. However, we could end up with many events that are just the identity relation for most variables. The numerous "identity patterns" in the MDD are very expensive to deal with, both in terms of memory usage and computation time. To avoid this problem, we chose yet another reduction rule for nodes, different from the two already presented in Definitions 3.4 and 3.5: the full-identity reduction from [8].

Figure 5. An identity pattern in a reduced MDD (left) and its identity-reduced equivalent (right).

An example of such an identity pattern and its full-identity reduction is shown in Figure 5. In this figure, edges leading to terminal 0 are omitted for clarity.

⁶ That is, we consider $T_e$ as a subset of $S \times S = S_K \times S_K \times \cdots \times S_1 \times S_1$. It is interesting to notice that $T_e$ does not need to be a function $S \to S$, allowing to model non-deterministic behaviors.
Table 1 shows the execution time with standard reduction and full-identity reduction rules for 
the classical model of dining philosophers. 


Model size   standard (sec)   full-identity (sec) 
50           0.36             0.02 
100          1.68             0.04 
200          7.85             0.07 
400          36.72            0.20 
1000         —                0.91 
7000         —                37.47 

Table 1. Execution time for building the transition relation using standard and full-identity reduced 
MDDs (“—” means “out of memory”). 


5.3 State Space Construction 

For state space construction, we use the Saturation algorithm [6] instead of the classical breadth 
first search exploration. This heuristic often gives spectacular improvements when building the state 
spaces of globally-asynchronous locally-synchronous systems. This is certainly the major source 
of improvement of our implementation over existing BDD libraries. 

As advised in [8], we chose to merge all events e with the same topmost affected level⁷ in the same 
MDD. The cost of the unions slows down the generation of the transition relation but generally 
makes the state space construction up to several times faster. 

5.4 Experimental Results 

Our new model checker comprises 7000 lines of ANSI-C code for the library and 4000 lines for the 
simple model checker that provides a common interface to our library and CUDD. Table 2 shows 
execution times for finding deadlocks on a suite of classical models. The search 
for deadlocks in a deadlock-free system equates to building the state space. Programs to generate all 
models can be found in the examples directory of our simple model checker source distribution, 
available at http://research.nianet.org/~radu/evmdd/. We collected the results on 
a Linux machine with an Intel Core 2 processor, 1.2 GHz, 1.5 GB of memory. 

Compared to the first implementation of the saturation algorithm [6] in the tool SMART, our new 
implementation is always several (up to a few dozen) times faster. This is due to both the encoding 
of the transition relation and our simple C implementation in comparison to the object-oriented C++ 
version. 


6 Conclusions and Future Work 

We studied the advantages of the EVMDD data structure over the widely used MTBDDs for the 
construction of the transition relation of finite state systems and implemented them in a library, along 
with state-of-the-art algorithms for state space generation. We obtained execution times several 
orders of magnitude faster than the CUDD library and classical algorithms, with reduced memory 
usage that enables handling extremely large systems. Future work should focus primarily on integrating 
our library into the SAL model checker. 

7 i.e. the same value of $\max\{k \mid \exists i, j \in S_k \cdot i \neq j \wedge (i, j) \in T_e\}$ 
Dining philosophers 
Model size   Reachable states   CUDD (sec)   EVMDD (sec) 
100          4 × 10^62          5.15         0.04 
200          2 × 10^125         1493.36      0.10 
1000         9 × 10^626         —            1.10 
10000        4 × 10^6269        —            77.77 
16000        2 × 10^10031       —            196.84 

Kanban assembly line 
Model size   Reachable states   CUDD (sec)   EVMDD (sec) 
10           1 × 10^9           0.84         0.01 
20           8 × 10^11          811.89       0.04 
100          1 × 10^19          —            3.25 
200          3 × 10^22          —            32.31 
400          6 × 10^25          —            697.90 

Round robin mutual exclusion protocol 
Model size   Reachable states   CUDD (sec)   EVMDD (sec) 
40           9 × 10^13          4.04         0.46 
60           1 × 10^20          15.59        1.54 
100          2 × 10^32          599.16       7.42 
200          7 × 10^62          —            75.94 

Knights problem 
Model size   Reachable states   CUDD (sec)   EVMDD (sec) 
5            6 × 10^7           921.95       0.30 
7            1 × 10^15          —            3.73 
9            8 × 10^24          —            47.80 

Randomized leader election protocol 
Model size   Reachable states   CUDD (sec)   EVMDD (sec) 
6            2 × 10^6           4.62         1.20 
7            2 × 10^7           23.87        3.69 
8            3 × 10^8           176.16       10.04 
9            5 × 10^9           810.36       24.86 
10           6 × 10^10          —            85.54 
11           9 × 10^11          —            423.41 

Slotted ring protocol 
Model size   Reachable states   CUDD (sec)   EVMDD (sec) 
10           8 × 10^9           1.07         0.01 
20           2 × 10^20          1804.48      0.04 
100          2 × 10^105         —            3.74 
300          3 × 10^318         —            111.29 
500          5 × 10^531         —            505.04 

Table 2. Execution times for finding deadlocks using our library or CUDD (“—” means “> 1 hour”). 


Our results show that, as old-fashioned as it may seem, symbolic model checking remains an 
efficient technique for analyzing globally-asynchronous locally-synchronous systems, and significant 
improvements are still possible. 